T-Mobile, Citizens Bank, thousands of other innocent companies and millions of users are stuck between shady ad networks and Google, publishers, and legitimate advertisers

UPDATE: Flash Networks comments have been added to the original story.

LAS VEGAS - An ongoing conflict between website owners and ad injectors who place unwanted ads on those websites has just flared up into full-blown war, with advertisers and carriers caught in the crossfire.

Take, for example, T-Mobile, which is proudly named as a customer by Flash Networks, a company that brags about creating "new monetization opportunities" for mobile operators when it "inserts the most relevant engagement display into the selected webpages."

This seems to have been a surprise to T-Mobile. Cynthia Lee, the company's senior digital media manager, adamantly denied that T-Mobile was using Flash Networks to inject ads into webpages it was serving up to mobile customers.

"It's completely against our strategy," she said. "Consumer experiences and customer privacy are at the top of our list and a pillar of how we execute our media."

This is a sketchy and morally suspect practice that is unfortunately all-to-common among ISPs.

Ken Smith, senior consultant at SecureState

At least one of those companies is an actual customer -- an Indian blogger discovered that his Internet Service Provider, Bharti Airtel, was inserting unwanted JavaScript into his website. He posted screenshots on GitHub, and got a cease-and-desist letter from Flash Networks in response.

Bharti Airtel issued a statement that they had no relation to the cease-and-desist notice -- and said that the injected code was only there "to help customers understand their data consumption in terms of volume of data used."

They did not explain why this required injecting Javascript into other companies' webpages.

According to Flash Networks' president and CEO Liam Galin, T-Mobile is not a customer of the company's monetization services, but one of the other products. Flash Networks also offers services that help mobile carriers boost network speed and optimize video and web traffic.

And when it comes to the Layer8 monetization product, he said, the main use is billing notifications, such as letting users know that their quotas are about to expire.

"In cases where the platform is expanded to be used as an advertising platform, prior user consent is needed," he added.

The advertising is in the form of a "non-obtrusive page curl," he said,

"Bundling the Flash Networks solution with malware and other ad-injectors does not demonstrate industry understanding," he said. "We stick to the most stringent privacy and regulation demands."

According to an emailed statement from the company the product allows carriers "to monetize a never before seen scale of new monetization opportunities" and while "the Layer8 solution is not malware and not intended for ad injection," the company's "injected code... can be used to offer ringtones, ebooks, and local offers."

Up to 30 percent of Web users are currently seeing extra ads on websites, injected by their mobile carriers, Internet providers, WiFi hotspots, malware, toolbars, and browser extensions, according to new research from Namogoo Technologies. This is up from 5 percent during the first nine months of 2014, when Google ran its own analysis.

In the below screenshot, for example, the Ad Options ad network has inserted an unwanted ad on the home page of the Citizens Bank website.

According to a recent report by Google, a single injected ad is typically funneled through several different ad networks, so that the advertisers are not even aware that this is happening.

That is the case with Citizens Bank, which confirmed that it did not deliberately purchase the injected ads, and is investigating the situation.

Not only are the ads on these networks intrusive and unwanted, but because the networks are not well policed, more likely to be malicious or subject to click fraud.

Google steps in

Search engines are victims, too. Ad injectors insert their ads right into search results, getting top placement without having to pay the search engines a dime.

But in going after the search engines, the ad injectors may have taken a step too far. Picking a fight with Google is seldom a good idea.

Three months ago, Google released the results of a study that found more than 50,000 browser extensions and 34,000 software applications that took over browsers and injected ads. A third of these also took the opportunity to steal account credentials, hijack search results, and spy on users' activities.

Google has already removed 192 deceptive Chrome extensions from the Chrome Web Store and added new safeguards to the browser. It also has begun notifying advertisers when their ads are injected and updated their AdWords policies to make it harder to promote unwanted software.

The ad injectors can put their ads right into the middle of a webpage, or create new links where they find keywords, or anywhere there is blank space, or replace existing legitimate ads, or layer new ads on top of the page blocking the view of legitimate content.

Browser-based ad injectors get an extra bonus, with full access to even encrypted websites, or pages served via VPNs.

Injections aided and abetted by network operators typically have access to the underlying code only for unencrypted webpages, though some carriers have been known to go as far as interfere with the encryption, as Gogo Inflight Wi-Fi was caught doing earlier this year.

How is this legal?

Users routinely use tools that change the way that websites are presented. They might want a page reformatted so that it's easier to print, or translated into a foreign language.

A user might deliberately choose to install a tool that, say, shows prices from competitors whenever they're on a major shopping website.

Or they might accidentally install a tool that came bundled with an application that they actually wanted -- and agreed to the terms and conditions without reading them.

"The ad injection is not criminal," said Elias Manousos, CEO at security vendor RiskIQ, which tracks malvertising and other external Web-based threats.

It's when the ad injectors are installed by malware that it's illegal, he said. Otherwise, there's no law on the books that protect the consumers.

"There are deceptive trade practices that the FTC enforces, but it's pretty weak," he said. And if a particular injected ad is illegal in a particular state, it's hard to prove because it's difficult to catch anyone in the act.

The advertising networks are interlinked in a byzantine web of relationships that make it hard to locate the exact point at which an ad went from a legitimate ad to an injected ad.

"The ad ecosystem is very, very private about who their customers are and who their publishers are," said Manousos. "So it's very easy to turn a blind eye to where the problems are coming from and it allows them to monetize their unethical installs."

He estimated the size of the injected ad industry at between $1 billion and $4 billion globally.

"Our approach is to help customers find who the bad actors are, and eliminate them," he said.

According to Google, 77 percent of all injected ads get funneled through three major intermediaries that connect the legitimate ad networks with the less savory ones: DealTime, PriceGrabber, and BizRate.

"They serve as the single critical bottleneck before ad injection traffic enters the ad ecosystem and becomes indistinguishable from legitimate consumer interest," wrote Google research scientist Kurt Thomas in a recent research paper about ad injection. "We have begun to reach out to these major intermediaries as well as the brands impacted by ad injection to alert them of the possibility of receiving ad injection traffic."

Google also identified Sears, Walmart, Target and Ebay as some of the companies most victimized by ad injectors. Ironically, Ebay also owns DealTime.

As of deadline, Ebay has not responded to a request for comment.

What can you do?

According to Google research scientist Kurt Thomas, website owners can protect their sites in a few ways.

Tips for dealing with ad injection

Don't buy ads that are injected into competitors' websites or are distributed through iffy networks.

Train employees to be careful about the freebie software they install on their computers.

Make sure your employees have a secure VPN to use when logging in from insecure networks, and that they know how to use it.

Stay on top of best Web development practices to make it as difficult as possible for attackers to modify your pages. In addition, if you run external Javascript code, host it on your own servers whenever possible, so that you can be sure that the libraries haven't been tampered with.

Find a way to monitor the site for potential compromise. For example, set up a cluster of infected machines, or use a security vendor, to see how big a problem you have, and whether the steps you're taking are addressing the problem.

Let your customers help. Make it easy for your web visitors to report them to you or send you screenshots.

Bring in outside help.

"Developers can measure their own ad injection levels by executing our client-side measurement, or go one step further and prevent or revert DOM modifications produced by ad injectors," he wrote in a recent research paper. "Equally important, if websites switched to HSTS it would prevent network providers and HTTP-only binary proxies from intercepting and tampering with client traffic."

Browser-based content security policies can be used to detect if webpages are being modified, said RiskIQ's Manousos.

"But a lot of the ad injection companies have found ways around [content security policies]," he added. "Just like anything, it's a cat-and-mouse game."

Meanwhile, corporate employees have yet another reason to be careful when using public networks.

"You should use VPNs, because VPNs will totally protect against this attack," said Manousos. "It creates a secure tunnel regardless of what WiFi access point you're connected to."

RiskIQ offers a solution that can help a website or corporate network detect if ad injection is going on, he said.

Injected ads pose risks to enterprises because attackers can purchase highly targeted placements, zeroing in on individual companies or even individual employees, and hijacking websites that company employees are most likely to visit.

The company doesn't currently block the injection itself, however, though it is considering offering such a service.

Another company that can help is Shape Security.

Shape Security works by constantly rewriting the underlying code of the webpage, making it a hard-to-hit moving target not only for would-be ad injectors but other automated attacks. The company calls this polymorphism.

"If you can break that automation, you can make the ecosystem for attacking websites much more difficult for attackers," said company vice president Shuman Ghosemajumder.

Google's crack down on browser extensions is a good start but it doesn't address all sources of client-side injected ads and malware, said Chemi Katz, cofounder and CEO of Namagoo Technologies, which offers a service to enterprises that protects websites from all unwanted changes.

"While Google is aware of 192 unique signatures, we are aware of over 25,000 different ones," he said.

Namogoo handles both browser-based and network-based injections, said Katz.

Namogoo's Katz declined to explain how his company's service works, other than to say that website owners only need to add a line of code to be protected.

"The technology comes as part of the page," he said. "It runs silently and identifies any anomalies and blocks them."

It works to protect against injections from malware, browsers and toolbars, as well as from Internet access providers, he said.

And that includes Flash Networks' Layer8, said Namogoo COO Ohad Greenshpan. "Our technology serves publishers and provides them the technology to serve their pages as they intended."

Advertisers need to protect themselves as well. Though the ads can seem like a bargain, disreputable networks are least likely to be protecting against click fraud, and there can be reputation damage when ads are injected into sites where they clearly don't belong, or are overly intrusive.

"If you want to really stop the problem, you have to stop the flow of money," said RiskIQ's Manousos.